BACKGROUND OF THE INVENTION
FIELD OF THE INVENTION 

[002] The present invention relates to a network system between client 
computers and server computers, and more particularly to a server computer protection 
apparatus which protects a server computer from illicit access that intentionally hampers 
server computer operations. 
DESCRIPTION OF THE RELATED ART 

[003] In recent years, client/server systems, which comprise unspecified or 
specified client computers connected to one or more server computers via networks such 
as wide area networks, for example, the Internet, or local area networks, have been 
utilized in order to supply data from the server in compliance with requests made by the 
clients. 

[004] Packets which include transmission data reconstructed into a 
predetermined size with destination information affixed thereto, are generally utilized as 
the format of data which flows through a network such as the Internet. The packet 
comprises a header and a data body. The header bears an address, in the case of the
Internet, an Internet Protocol (IP) address, which indicates the computer
which transmitted the packet, and an address, for example, an IP address, of a computer
which is the destination of the packet.

[005] Currently, any system connected to such a network increasingly undergoes
attacks over the network. Such attacks are intended to cause systemic failures. One such
attacking method is a Denial of Service ("DoS") attack. A DoS attack is an attack 
whereby a large quantity of access requests are simultaneously made upon a server 
computer by one client. The large quantity of access requests hampers the availability of 
the server and makes service substantially impossible. 

[006] This attacking method is hard to distinguish from an access request made 
by a legal client which does not intend to attack the system. Therefore, it is difficult to 
avoid the attack on the server side. In some cases, the server undergoes DoS attacks from 
a plurality of clients. In this case, the DoS attack is called a Distributed Denial of Service 
attack or DDoS attack. 

[007] When a server receives a large quantity of requests which exceed the 
processing ability of the server, the server's resources for communication processing, for 
example, memory areas and line bandwidths, are successively reserved for the respective 
large quantity of requests until the server's resources finally become insufficient. As a 
result, the server fails to respond to the request from a legal client not intending 
interference, or communication between the client and server stagnates seriously. 

[008] Heretofore, a conventional server computer protection apparatus has been 
arranged between the server and the network in order to exclude the attacks. The server 
computer protection apparatus processes only access requests which are repeated a
number of times, as legal access requests from a legal client. Alternatively, the server
computer protection apparatus processes access requests from a client, which has already 
given legal access, as a legal access request, and annuls packets as to the other access 
requests made by example. 

[009] Such a method, however, has the problem that, in a case where the client,
which intends the attack, makes a large quantity of similar access requests, the attack 
cannot be prevented by the conventional server computer protection apparatus. 

[010] Furthermore, even when the above problem has been solved, the 
conventional server computer protection apparatus is still unsatisfactory. For example, 
when a legal client makes a large quantity of access requests, the client's access requests
are judged as a DoS attack. Thus, in the conventional protection apparatus, legal requests
are sometimes regarded as illicit access in spite of being legal. In such a case, the legal
client's connection is cut off, and hence, the client's business is impeded. 

SUMMARY OF THE INVENTION 
[011] The present invention is directed to a server computer protection apparatus
and a server computer protection method which can protect a server against attacks from 
unspecified clients, but which allow access to a client that is legally accessing the server. 

[012] According to an aspect related to the present invention, there is provided a 
server computer protection method and apparatus, the method comprising: accepting data 
requests sent from client computers, as proxy for the server computer; measuring a 
number of data requests which have arrived from said client computers within a 
predetermined time period; measuring a number of responses which have been made from 
said server computer to said client computers within the predetermined time period; 
obtaining a load state of said server computer by using the number of the data requests and 
the number of the responses; and changing a rate of the number of data requests based on 
the obtained load state. 

[013] According to another aspect related to the present invention, there is
provided a server computer protection method and apparatus, the method comprising: 
accepting data requests sent from client computers, as proxy for the server computer; 
receiving from said server computer, information on a processing situation of said server
computer; obtaining a load state of said server computer from the processing situation 
information; and changing a rate of a number of data requests based on the load state. 

[014] Additional advantages of the invention will be set forth in part in the 
description which follows, and in part will be obvious from the description, or may be 
learned by practice of the invention. The advantages of the invention will be realized and 
attained by means of the elements and combinations particularly pointed out in the 
appended claims. 

[015] It is to be understood that both the foregoing general description and the 
following detailed description are exemplary and explanatory only and are not restrictive 
of the invention, as claimed. 

[016] The accompanying drawings, which are incorporated in and constitute a 
part of this specification, illustrate several aspects of the present invention and together 
with the description, serve to explain the principles of the invention. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[017] Fig. 1 is a diagram showing an example of a network architecture to which 
a server computer protection apparatus consistent with an aspect related to the present 
invention is applied; 

[018] Fig. 2 is a block diagram showing a server computer protection apparatus
consistent with an aspect related to the present invention; 

[019] Fig. 3 is a flow chart showing an example of an operating flow of the 
server computer protection apparatus shown in Fig. 2; 

[020] Fig. 4 is a flow chart showing an example of the operating flow of the 
server computer protection apparatus shown in Fig. 2; 

[021] Fig. 5 is a block diagram showing an example of the construction of a
server computer protection apparatus consistent with an aspect related to the present 
invention; 

[022] Fig. 6 is a flow chart showing an example of the operating flow of the 
server computer protection apparatus shown in Fig. 5; 

[023] Fig. 7 is a block diagram showing an example of the construction of a 
server computer protection apparatus consistent with an aspect related to the present 
invention; 

[024] Figs. 8A and 8B are flow charts each showing an example of the operating
flow of the server computer protection apparatus shown in Fig. 7; 

[025] Fig. 9 is a block diagram showing an example of the construction of a 
server computer protection apparatus consistent with an aspect related to the present 
invention; and 

[026] Figs. 10A and 10B are flow charts each showing an example of the 
operating flow of the server computer protection apparatus shown in Fig. 9. 

DETAILED DESCRIPTION OF THE INVENTION 

[027] Reference will now be made in detail to aspects related to the present
invention, examples of which are illustrated in the accompanying drawings. Wherever 
possible, the same reference numbers will be used throughout the drawings to refer to the 
same or like parts. 

[028] Fig. 1 shows an example of a network architecture to which a server 
computer protection apparatus consistent with an aspect related to the present invention is 
applied. The network architecture comprises clients 101-1, 101-2, 101-3, which are 
computers running applications utilized by users, a network 102, for example, the Internet, 
and a server computer protection apparatus 103. The network architecture also comprises
a server 104, which is a computer that receives, through server computer protection
apparatus 103, requests for data that are required by the applications utilized by each 
client 101, and which transmits the requested data through server computer protection 
apparatus 103 to each client 101. Thus, the network architecture constitutes a 
server/client network system wherein clients 101 request server 104 to transmit data 
necessary for processes and the server 104 transmits the data in response to such requests. 
All communication between clients 101 and server 104 is performed through server 
computer protection apparatus 103. 

[029] Fig. 2 shows an example of server computer protection apparatus 103 
consistent with an aspect related to the present invention. Server computer protection 
apparatus 103 includes a data request acceptance unit 201, a data request transfer unit 202, 
a "number of data requests" measurement unit 203, a "number of data supplies" 
measurement unit 204, and a response probability calculation unit 205. 

[030] Fig. 3 illustrates the flow of server computer protection apparatus 103 
consistent with an aspect of the present invention. First, client 101 establishes a 
connection with server 103 (stage 300). After client 101 has established a connection 
with server 104 through server computer protection apparatus 103, client 101 transmits a 
request for data necessary for a process to the server 104 through server computer
protection apparatus 103 (stage 302). On this occasion, data request acceptance unit 201 
accepts the data request, and the number of requests accepted is measured by "number of 
data requests" measurement unit 203 (stage 304). 

[031] Then, the request accepted by data request acceptance unit 201 is 
transferred toward server 104 by data request transfer unit 202 (stage 306). In response, 
server 104 transmits the data corresponding to the transferred request, toward client 101 
which made the request through the server computer protection apparatus 103 (stage 308).
On this occasion, "number of data supplies" measurement unit 204 included in server
computer protection apparatus 103 measures the number of the completions of the
accepted requests transmitted by server 104 (stage 310). That is, when all responses to
the clients 101 have been completed, the number of accepted requests as measured by 
"number of data requests" measurement unit 203 agrees with the number of completed 
requests as measured by "number of data supplies" measurement unit 204. 

[032] A case is considered in which the number of accepted requests as 
measured by "number of data requests" measurement unit 203 is larger than the number of 
completed requests as measured by "number of data supplies" measurement unit 204. 
The number of accepted requests being larger than the number of completed requests 
signifies that the processing of server 104 for the accepted requests is late, which signifies
a heavy processing load. As the number of accepted requests exceeds the number of
completed requests by a wider margin, the response of server 104 is delayed even more. In turn, all
services offered by the server 104 might stop due to a lack of resources. This event is the 
same as when server 104 is under a DoS attack from client 101. In order to avoid the 
shutdown of server 104, the administrator of server 104 must promptly stop requests 
which are transmitted from clients 101 to server 104. 

[033] However, assuming that clients 101 are merely making legal data requests 
until requests are stopped, the processes of the applications activated in clients 101 are 
interrupted or disabled by the determination of a required shutdown. 

[034] In order to reduce interruption as stated above, response probability 
calculation unit 205 calculates a response probability on the basis of the difference 
between the number of accepted requests and the number of completed requests, at least, 
each time a request is given. Subsequently, response probability calculation unit 205
supplies the response probability to data request transfer unit 202. The "response
probability" termed here signifies the ratio of the number of data responses made within a
predetermined time period by server 104, to the number of data requests accepted from 
clients 101 within the predetermined time period. When the value of the ratio is large, 
data request transfer unit 202 increases the number of data requests which are to be 
transferred to server 104 within the predetermined time period, among the data requests 
accepted within the predetermined time period. Conversely, when the ratio is small, data 
request transfer unit 202 decreases the number of data requests which are to be transferred 
to server 104 within the predetermined time period. 

[035] Data request acceptance unit 201 annuls data requests which are not 
transferred by data request transfer unit 202 because the number of requests to be 
transferred within the predetermined time period has been decreased. Alternatively, data 
request acceptance unit 201 can retain the data requests. In the case where the data 
requests are retained without being annulled, a constituent for transferring the retained 
data requests asynchronously to new data requests is required. 

[036] As described above, when the difference between the number of accepted 
requests and the number of completed requests becomes small, response probability 
calculation unit 205 judges the load of server 104 is light, and response probability 
calculation unit 205 calculates the response probability to be high. In contrast, when the 
difference between the numbers of accepted and completed requests becomes large, 
response probability calculation unit 205 judges the load of server 104 is heavy, and 
response probability calculation unit 205 calculates the response probability to be low. 

[037] The process provides a server computer protection apparatus which
relaxes the influence of a DoS attack, which burdens the server and shuts it down, and
which does not stop the process of the client.

[038] Incidentally, regarding the number of accepted requests as measured by "number of
data requests" measurement unit 203 and the number of completed requests as measured
by "number of data supplies" measurement unit 204, only a differential value may be
held by, for example, adding the former requests and subtracting the latter requests.
Server computer protection apparatus 103 permits the comparison of both sorts of
requests.

[039] Fig. 4 shows an example of the operating flow of the server computer 
protection apparatus consistent with an aspect related to the present invention. 

[040] After the connection has been established from client 101 to server 104 
through server computer protection apparatus 103, server computer protection apparatus 
103 awaits a data request from the client 101 toward the server 104 (stage 400). When 
the request for data has been made, "number of data requests" measurement unit 203 
increases the number of accepted requests as held in the response probability calculation 
unit 205 by one (stage 402). 

[041] Next, the data request from client 101 as accepted by data request 
acceptance unit 201 is judged as to whether or not it may be transferred to server 104 by 
data request transfer unit 202 (stage 404). In the judgment at the stage 404, the number 
of accepted requests which are not completed yet is used. 

[042] As the number of data responses within a predetermined time period is 
closer to the number of data requests accepted within the predetermined time period, that 
is, as the number of uncompleted accepted requests is smaller, server computer protection
apparatus 103 judges that the load of server 104 is lighter. Conversely, as the number of
data responses within the predetermined time period is smaller than the number of data
requests accepted within the predetermined time period, that is, as the number of
uncompleted accepted requests is larger, server computer protection apparatus 103 judges
that the load of server 104 is heavier. In a case where the load on this occasion is
extraordinarily heavy, server computer protection apparatus 103 can judge that server 104 
may be under a DoS attack. 

[043] As stated above, the number of uncompleted accepted requests can be 
adopted as the load state of server 104 for the decision of stage 404. This signifies that 
the number of uncompleted accepted requests is also usable for discriminating if server 
104 is under a DoS attack. Thus, at stage 404, whether or not the new data request from 
client 101 may be transferred is judged in accordance with the number of uncompleted 
accepted requests. When the number of uncompleted accepted requests is small, server 
104 can afford to respond, and, server computer protection apparatus 103 judges that the 
new data request can be transferred. Conversely, when the number of uncompleted 
accepted requests is larger, server 104 might be under the DoS attack, and, server 
computer protection apparatus 103 judges that the new data request may need to be 
annulled. 

[044] Furthermore, in addition to accepted and completed responses, the criteria
explained below can be included in probability calculation unit 205's calculation of the
response probability for data requests that are to be transferred by data request transfer
unit 202.

[045] The processing load of server 104 and the occupation of the 
communication line can also be used for judging that server 104 may possibly be under a
DoS attack. Since information indicating a data amount is affixed to communication data 
from client 101, the data amount of the data response of server 104 to a data request from 
the client 101 can be measured by "number of data supplies" measurement unit 204. If 
the responsive data amount is large, server 104 expends a high cost in generating response 
data, i.e., more processing and resource allocation. Moreover, the time period needed to
communicate the response data lengthens, and the occupation time of a communication
line in the network increases. 

[046] If this criterion is utilized, the data amount of the data response is 
considered in the judgment at stage 404 as shown in Fig. 4 in which server computer 
protection apparatus 103 judges whether or not the data request from client 101 as 
accepted by data request acceptance unit 201 may be transferred to server 104 by data 
request transfer unit 202. 

[047] That is, at stage 404, server computer protection apparatus 103 judges 
whether or not the new data request from client 101 may be transferred in accordance with 
the data amount of the data response. When the data amount is small, server 104 can 
afford to respond, and, therefore, server computer protection apparatus 103 judges that the 
new data request can be transferred. Conversely, when the data amount is large, server 
104 might be under a DoS attack and, therefore, server computer protection apparatus 103 
judges that the new data request may need to be annulled. 

[048] Data requests and data responses to them by server 104 are respectively 
endowed with corresponding sequence numbers. It is therefore possible to specify which 
of the data requests a certain data response corresponds to. As another criterion, this 
information can be included in probability calculation unit 205's calculation of the response
probability for data requests that are to be transferred by data request transfer unit 202. 

[049] In this case, it is assumed that server 104 has responded to a certain data 
request from client 101. Assuming that an acknowledgment for the data response has not 
thereafter been obtained from client 101 for a predetermined time period, server 104 
judges that the pertinent data response has not arrived at client 101, and server 104 
attempts to resend the data response. As stated above, "number of data supplies" 
measurement unit 204 can specify which of the data requests the resent data response
corresponds to.

[050] By considering this criterion, server computer protection apparatus 103 
enables server 104 to reliably communicate with client 101, and determine when client 
101 intentionally sends back no acknowledgment. In such a case, server 104 repeats 
resending limitlessly, and in turn, server 104 is burdened with a useless processing load. 
Simultaneously, server 104 ties up the communication line on account of the useless 
resending. Thus, server computer protection apparatus 103 can judge that server 104 may 
possibly be under a DoS attack. 

[051] If this criterion is utilized, the number of times of resending of the data
response is considered in the judgment at stage 404 as shown in Fig. 4, in which server
computer protection apparatus 103 judges whether or not the data request from client 101 
as accepted by data request acceptance unit 201 may be transferred to server 104 by data 
request transfer unit 202. 

[052] That is, at stage 404, whether or not the new data request from client 101 
may be transferred is judged in accordance with the number of times of resending of the 
data response. When the number of times of resending is large, the possibility of a DoS 
attack against server 104 is higher, and server computer protection apparatus 103 can 
judge that the new data request may need to be annulled. 

[053] As mentioned above, data request acceptance unit 201 accepts the data 
request from client 101 as proxy for server 104. When the connection with server 104 as 
requested by client 101 has been wrongfully cut off, data request acceptance unit 201 can 
detect the wrongful cutoff. The "wrongful cutoff" signifies cutoff based on the detection
of the fact that a normal communication can no longer be kept due to the transmission
flow, for example, an abnormal command which does not conform to a protocol for use in
communication. Also, "wrongful cutoff" can include the reception of a one-sided forced
cutoff request or the like from client 101. 

[054] When server 104 receives an abnormal command, flow, or forced cutoff 
request, the server/client network must execute a recovery process of communication
resources because the received item is unexpected data. In the presence of any renewed 
application which is activated in server 104, the server/client network also must perform a 
renewal cancellation process such as roll-back because of the recovery process. These 
processes often require server 104 to endure heavy loads. When such abnormal 
communications are repeated, the load of server 104 increases, and the processing 
efficiency of the server 104 decreases drastically. Also in this case, server computer 
protection apparatus 103 can judge that server 104 may possibly be under a DoS attack. 

[055] The number of times of the abnormal communications is considered in the 
judgment at stage 404 as shown in Fig. 4 in which server computer protection apparatus 
103 judges whether or not the data request from client 101 as accepted by data request 
acceptance unit 201 may be transferred to server 104 by data request transfer unit 202. 

[056] That is, at stage 404, whether or not the new data request from client 101 
may be transferred is judged in accordance with the number of times of the abnormal 
communications. As the number of times becomes larger, the possibility of the DoS attack
against server 104 is higher, and, therefore, server computer protection apparatus 103 can 
judge that the new data request is to be annulled. 

[057] Accordingly, by setting several criteria as described above, server 
computer protection apparatus can effectively prevent a DoS attack. 

[058] In another example, in the calculation of the response probability by 
response probability calculation unit 205, response probability calculation unit 205 can 
include a response probability memory and consider a value stored in this memory, as
described below. 

[059] Response probability calculation unit 205 judges the load of server 104 on 
the basis of information items which are acquired from "number of data requests" 
measurement unit 203, "number of data supplies" measurement unit 204, and data request 
acceptance unit 201. In this example, a calculated value is not directly converted into the 
load situation of server 104 for judgment, but the value is referenced to the value stored in 
the response probability memory of response probability calculation unit 205. 

[060] In the calculations of server computer protection apparatus 103, the values 
obtained from the respective measurement units have been collectively converted into 
values which indicate load levels of "0" to "10". Depending upon the values obtained 
from the respective measurement units, the load level of server 104 might violently 
change from "0" to "10", and the response probability to be calculated can greatly 
fluctuate. 

[061] Therefore, the values obtained from the respective measurement units are 
collectively converted into a value which falls within a range of ±2. Subsequently, 
response probability calculation unit 205 adds the value collectively obtained to the value 
which is stored in the response probability memory. Then, the value fluctuates only 
within the range of ±2 by one time of measurement, and server computer protection 
apparatus 103 can suppress the great fluctuation of the response probability as in the 
above example based on the assumption that the response probability memory holds the 
values of "0" to "10".

[062] Assuming that the fluctuation of the response probability proceeds too 
rapidly, the load on server 104 is not constant, and server 104 sometimes becomes 
unstable. 

[063] Accordingly, the aforementioned range of the values which are held in the
response probability memory, and the range of the collective values of the values obtained 
from the respective measurement units are appropriately determined, whereby the 
fluctuation of the number of data requests arriving at server 104 from client 101 can be 
relaxed to protect server 104. 

[064] Referring again to Fig. 4, when server computer protection apparatus 103 
has judged that the new data request from client 101 is to be transferred to server 104, data 
request transfer unit 202 transfers this data request to server 104 (stage 406). In contrast, 
when server computer protection apparatus 103 has judged that the new data request is not 
to be transferred, this data request is annulled from within data request acceptance unit 
201, and a new data request from client 101 is awaited again (stage 400). 

[065] When the data request from client 101 has been transferred to server 104, 
server 104 subsequently issues a response to this data request, and hence, server computer 
protection apparatus 103 transfers the response to client 101 (stage 408). 

[066] Finally, the number of completed requests is measured in accordance with 
the response by "number of data supplies" measurement unit 204, and the number of 
accepted requests as held in response probability calculation unit 205 is decreased by one 
(stage 410). If the connection from client 101 to server 104 is maintained, a similar 
operating flow is repeated again so as to await a new data request from client 101 toward 
server 104 (stage 400). 

[067] According to the server computer protection method based on such a flow,
the server computer protection apparatus relaxes the influence of a DoS attack, which
burdens the server and shuts it down, and does not stop the process of the client.

[068] In another aspect related to the present invention, a server computer 
protection apparatus can be configured to separately maintain information of each client. 
Fig. 5 shows an example of the construction of the server computer protection apparatus
503 consistent with this aspect which is utilized in the network architecture shown in Fig. 1.
Server computer protection apparatus 503 includes a data request acceptance unit 502, a 
data request transfer unit 504, "number of data requests" measurement units 506, a 
"number of data supplies" measurement unit 508 and response probability calculation 
units 510. Server computer protection apparatus 503 differs from server computer
protection apparatus 103 shown in Fig. 2 in that the apparatus includes a plurality of
"number of data requests" measurement units 506 and response probability calculation
units 510. Each measurement unit processes data requests transmitted from each of clients
101 (for example, clients 101-1, 101-2, 101-3), in correspondence with the respective 
client. 

[069] In order to separately execute the processes of the respective clients, it is 
necessary to discriminate which of the clients have transmitted the requests to be processed.
The discrimination can be achieved by referring to IP addresses in the header information 
of packets that are contained in the data requests transmitted from the respective clients 
which indicate transmission sources. Likewise, the client 101 destination of a server 104 
response can be discriminated by referring to an IP address in the header information of 
packets that are contained in the server response which indicates a destination. 

[070] The components of server computer protection apparatus 503 function
similarly to the components of server computer protection apparatus 103.
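
The Fig. 4 gate with the response probability memory of [058]-[063], run once with a single shared set of counters (Fig. 2) and once with one set per source IP address (Fig. 5), as an added example that is not part of the patent text. The capacity value, the conversion of the uncompleted count to a 0-10 load level, the mapping from level to probability, the tick-based server model and the two client addresses are all assumptions constructed for this sketch; the text specifies none of them.

```python
import random
from collections import deque

LEVEL_MAX = 10  # the response probability memory holds "0" to "10" ([060]-[061])
STEP_MAX = 2    # one measurement moves the stored value by at most +/-2 ([061])
LEGIT = "198.51.100.20"  # constructed source address, one request per tick
FLOOD = "203.0.113.7"    # constructed source address, many requests per tick


class Gate:
    """Counter of uncompleted requests plus the response probability memory."""

    def __init__(self, capacity, rng):
        self.capacity = capacity  # assumed: uncompleted count that means full load
        self.rng = rng
        self.outstanding = 0      # accepted minus completed, held as one value ([038])
        self.level = 0            # stored load level: 0 = idle, 10 = saturated

    def probability(self):
        # Assumed mapping from the stored level to the response probability.
        return (LEVEL_MAX - self.level) / LEVEL_MAX

    def on_request(self):
        """Stages 402-406: count the request, judge it, forward or annul."""
        self.outstanding += 1
        # Assumed conversion of the measurement to a 0..10 load figure.
        raw = min(LEVEL_MAX, self.outstanding * LEVEL_MAX // self.capacity)
        # Clamp the change so the stored level moves by at most +/-2 per request.
        step = max(-STEP_MAX, min(STEP_MAX, raw - self.level))
        self.level = max(0, min(LEVEL_MAX, self.level + step))
        if self.rng.random() < self.probability():
            return True
        # An annulled request never reaches the server, so it must not stay
        # counted as uncompleted (assumption; the text leaves this open).
        self.outstanding -= 1
        return False

    def on_response(self):
        """Stage 410: a completed response lowers the uncompleted count."""
        self.outstanding = max(0, self.outstanding - 1)


def simulate(per_client, ticks=50, flood=200, service_rate=16, capacity=16, seed=1):
    """Run the gate in front of a server that completes service_rate requests per tick.

    Returns ({source: [forwarded, annulled]}, peak server backlog).
    """
    rng = random.Random(seed)
    gates = {}

    def gate_for(src_ip):
        # Fig. 5 keys the counters by source IP address; Fig. 2 shares one set.
        key = src_ip if per_client else "shared"
        if key not in gates:
            gates[key] = Gate(capacity, rng)
        return gates[key]

    stats = {LEGIT: [0, 0], FLOOD: [0, 0]}
    backlog = deque()  # forwarded requests the server has not completed yet
    peak = 0
    for _ in range(ticks):
        for src_ip in [LEGIT] + [FLOOD] * flood:
            if gate_for(src_ip).on_request():
                backlog.append(src_ip)
                stats[src_ip][0] += 1
            else:
                stats[src_ip][1] += 1
        peak = max(peak, len(backlog))
        for _ in range(min(service_rate, len(backlog))):
            gate_for(backlog.popleft()).on_response()
    return stats, peak


if __name__ == "__main__":
    for mode in (False, True):
        stats, peak = simulate(per_client=mode)
        print("per-client" if mode else "shared", stats, "peak backlog", peak)
```

With these constructed parameters the per-client run forwards every request from the one-per-tick client, while the shared run annuls a large share of them because the flood keeps the single stored level near 10.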

[071] Fig. 6 shows an example of the operating flow of the server computer 
protection apparatus 503 consistent with an aspect related to the present invention. 

[072] After client 101 establishes a connection to server 104 through server 
computer protection apparatus 503, a set consisting of "number of data requests" 
measurement unit 506 and response probability calculation unit 510 is allotted to 
predetermined client 101. Next, server computer protection apparatus 503 awaits a data
request from client 101 toward server 104 (stage 600). When the request for data has been
made, "number of data requests" measurement unit 203 allotted to client 101 increases by
one the number of accepted requests as held in response probability calculation unit 205
which forms the set (stage 602).

[073] Then, data request transfer unit 502 judges the data request from 
predetermined client 101 as accepted by the data request acceptance unit 201 to determine 
whether or not the data request may be transferred to server 104 by the data request 
transfer unit 202 (stage 604). In the judgment at the stage 604, the number of accepted 
requests which are not completed yet is used. 

[074] As the number of data responses within a predetermined time period is 
closer to the number of data requests accepted within the predetermined time period, that 
is, as the number of uncompleted accepted requests is smaller, server computer protection 
apparatus 503 judges that the load of server 104 attributed to the predetermined client 101 
is lighter. Conversely, as the number of data responses within the predetermined time 
period is smaller than the number of data requests accepted within the predetermined time 
period, that is, as the number of uncompleted accepted requests is larger, server computer 
protection apparatus 503 judges that server 104 completes a smaller number of processes 
responsive to the data requests from predetermined client 101 within the predetermined 
time period. That is, the server's load is heavier. In a case where the load on this 
occasion is extraordinarily heavy, server computer protection apparatus 503 can judge that 
server 104 may possibly be under a DoS attack. 

[075] For the reasons as stated above, the number of uncompleted accepted 
requests can be adopted as the load state of server 104 for the decision of the stage 604. 
This signifies that the number of uncompleted accepted requests is also usable for 
discriminating if server 104 is under a DoS attack. At stage 604, server computer 
protection apparatus 503 determines whether or not the new data request from 
predetermined client 101 may be transferred in accordance with the number of 
uncompleted accepted requests. When the number of uncompleted accepted requests is 
small, server 104 can afford to respond and, therefore, server computer protection 
apparatus 503 judges that the new data request can be transferred. Conversely, when the 
number of uncompleted accepted requests is large, server 104 might be under a DoS attack 
and, therefore, server computer protection apparatus 503 judges that the new data request 
may need to be annulled. 

[076] Further, in addition to accepted and completed responses, criteria 
explained below can be included in the probability calculation unit 510 calculation of the 
response probability for data requests that are to be transferred by the data request 
transfer unit 504. 

[077] The processing load of server 104 and the occupation of the 
communication line can also be used for judging that server 104 may possibly be under a 
DoS attack. Since information indicating a data amount is affixed to communication data 
from client 101, the data amount of the data response of server 104 to a data request from 
client 101 can be measured by "number of data supplies" measurement unit 508. If the 
responsive data amount is large, server 104 expends a high cost in generating response 
data, i.e. more processing and resource allocation. Moreover, a time period to 
communicate the response data lengthens, and the occupation time of a communication 
line in the network increases. 

[078] If this criterion is utilized, the data amount of the data response is 
considered in the judgment at stage 604 as shown in Fig. 6 in which server computer 
protection apparatus 503 judges whether or not the data request from client 101 as 
accepted by data request acceptance unit 502 may be transferred to server 104 by data 
request transfer unit 504. 

[079] That is, at stage 604, server computer protection apparatus 503 judges 
whether or not the new data request from the client 101 may be transferred in accordance 
with the data amount of the data response. When the data amount is smaller, server 104 
can afford to respond and, therefore, server computer protection apparatus 503 judges that 
the new data request can be transferred. Conversely, when the data amount is larger, 
server 104 might be under a DoS attack and, therefore, server computer protection 
apparatus 503 judges that the new data request may need to be annulled. 

[080] Data requests, and data responses to them by server 104 are respectively 
endowed with corresponding sequence numbers. It is therefore possible to specify which 
of the data requests a certain data response corresponds to. As another criterion, this 
information can be included in probability calculation unit 205 calculation of the response 
probability for data requests that are to be transferred by data request transfer unit 504. 

[081] In this case, it is assumed that server 104 has responded to a certain data 
request from client 101. Assuming that an acknowledgment for the data response has not 
thereafter been obtained from client 101 for a predetermined time period, server 104 
judges that the pertinent data response has not arrived at the client 101, and server 104 
attempts to resend the data response. As stated above, "number of data supplies" 
measurement unit 508 can specify which of the data requests the resent data response 
corresponds to. 

[082] By considering this criterion, server computer protection apparatus 503 
enables server 104 to reliably communicate with client 101, and determine when client 
101 intentionally sends back no acknowledgment. In such a case, server 104 repeats 
resending limitlessly, and in turn, server 104 is burdened with a useless processing load. 
Simultaneously, server 104 ties up the communication line on account of the useless 
resending. Thus, server computer protection apparatus 503 can judge that server 104 may 
possibly be under a DoS attack. 

[083] If this criterion is utilized, the number of times of resending of the data 
response is considered in the judgment at stage 604 as shown in Fig. 6 in which server 
computer protection apparatus 503 judges whether or not the data request from client 101 
as accepted by data request acceptance unit 502 may be transferred to server 104 by data 
request transfer unit 504. 

[084] That is, at stage 604, whether or not the new data request from client 101 
may be transferred is judged in accordance with the number of times of resending of the 
data response. When the number of times of resending is larger, the possibility of a DoS 
attack against server 104 is higher, and server computer protection apparatus 503 can 
judge that the new data request may need to be annulled. 

[085] As mentioned above, data request acceptance unit 502 accepts the data 
request from client 101 as proxy for server 104. When the connection with server 104 as 
requested by client 101 has been wrongfully cut off, data request acceptance unit 502 can 
detect the wrongful cutoff. The "wrongful cutoff" signifies cutoff based on the detection 
of the fact that a normal communication can no longer be kept due to the transmission, 
flow or the like of, for example, an abnormal command which does not conform to a 
protocol for use in communication. Also, "wrongful cutoff" includes the reception of a 
one-sided forced cutoff request or the like from client 101. 

[086] When server 104 receives an abnormal command, flow, or the forced 
cutoff request, the server/client network must execute a recovery process of 
communication resources because the received item is unexpected data. In the presence 
of any renewed application which is activated in server 104, the server/client network also 
must perform a renewal cancellation process such as roll-back because of the recovery 
process. These processes often require server 104 to endure heavy loads. When such 
abnormal communications are repeated, the load of server 104 increases, and the 
processing efficiency of the server 104 decreases drastically. Also in this case, server 
computer protection apparatus 503 can judge that server 104 may possibly be under a DoS 
attack. 

[087] The number of times of the abnormal communications is considered in the 
judgment at stage 604 as shown in Fig. 6 in which server computer protection apparatus 
503 judges whether or not the data request from client 101 as accepted by data request 
acceptance unit 502 may be transferred to server 104 by data request transfer unit 504. 

[088] That is, at stage 604, whether or not the new data request from client 101 
may be transferred is judged in accordance with the number of times of the abnormal 
communications. As the number of times is larger, the possibility of the DoS attack 
against the server 104 is higher, and, therefore, server computer protection apparatus 503 
judges that the new data request is to be annulled. 

[089] Accordingly, by setting several criteria as described above, server 
computer protection apparatus 503 can effectively prevent a DoS attack. 

[090] In another example, in the calculation of the response probability by the 
response probability calculation unit 510, response probability calculation unit 510 can 
include a response probability memory and consider a value stored in this memory, as 
described below. 

[091] Response probability calculation unit 510 judges the load of server 104 as 
applied by the corresponding client, on the basis of information items which are acquired 
from "number of data requests" measurement unit 506, "number of data supplies" 
measurement unit 508 and data request acceptance unit 502. In this example, a calculated 
value is not directly converted into the load situation of server 104 for judgment, but the 
value is referenced to the value stored in the response probability memory of response 
probability calculation unit 510. 

[092] In the calculations of server computer protection apparatus 503, the values 
obtained from the respective measurement units have been collectively converted into 
values which indicate load levels of "0" to "10". Depending upon the values obtained 
from the respective measurement units, the load level of server 104 might violently 
change from "0" to "10", and the response probability to be calculated can greatly 
fluctuate. 

[093] Therefore, the values obtained from the respective measurement units are 
collectively converted into a value which falls within a range of ±2. Subsequently, 
response probability calculation unit 510 adds the value collectively obtained to the value 
which is stored in the response probability memory. Then, the value fluctuates only 
within the range of ±2 by one time of measurement, and server computer protection 
apparatus 503 can suppress the great fluctuation of the response probability as in the 
above example based on the assumption that the response probability memory holds the 
values of "0" to "10". 

[094] Assuming that the fluctuation of the response probability proceeds too 
rapidly, the load on server 104 is not constant, and server 104 sometimes becomes 
unstable. 

[095] Accordingly, the aforementioned range of the values which are held in the 
response probability memory, and the range of the collective values of the values obtained 
from the respective measurement units are appropriately determined, whereby the 
fluctuation of the number of data requests arriving at server 104 from client 101 can be 
relaxed to protect server 104. 

[096] Referring again to Fig. 6, when server computer protection apparatus 503 
has judged that the new data request from predetermined client 101 is to be transferred to 
the server 104, data request transfer unit 504 transfers this data request to 
server 104 (stage 606). In contrast, if server computer protection apparatus 503 has 
judged that the new data request is not to be transferred, this data request is annulled from 
within data request acceptance unit 502, and a new data request from predetermined client 
101 is awaited again (stage 600). 

[097] When the data request from predetermined client 101 has been transferred 
to server 104, server 104 issues a response to this data request, and hence, server computer 
protection apparatus 503 transfers the response to predetermined client 101 (stage 608). 

[098] Finally, the number of completed requests is measured in accordance 
with the response by "number of data supplies" measurement unit 508, and the number of 
accepted requests as held in response probability calculation unit 510 allotted to the 
predetermined client 101 is decreased by one (stage 610). If the connection from 
predetermined client 101 to server 104 is maintained, a similar operating flow is repeated 
again so as to await a new data request from predetermined client 101 toward server 104 
(stage 600). 

[099] According to the server computer protection method based on such a flow, 
the server computer protection apparatus relaxes the influence of a DoS attack that 
burdens the server and shuts it down, does not stop the process of the client, and 
provides server computer protection control that is fine-grained for each client. 
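
The per-client flow of Fig. 6 (stages 600 to 610) as an added Python example, not code from the patent. The class and method names, the weights, the linear mapping from the load score to a response probability, and the handling of annulled requests are assumptions; the addresses are constructed sample values.

```python
import random
from dataclasses import dataclass


@dataclass
class ClientState:
    """Measurement set allotted to one client, keyed by source IP address."""
    outstanding: int = 0  # accepted requests the server has not answered yet
    resends: int = 0      # responses resent because no acknowledgment came back
    abnormal: int = 0     # protocol violations and one-sided forced cutoffs


class ProtectionProxy:
    # Assumed tuning values; the page gives no concrete numbers.
    MAX_SCORE = 20        # score at which the response probability reaches 0
    RESEND_WEIGHT = 2
    ABNORMAL_WEIGHT = 5

    def __init__(self, rng=None):
        self.clients = {}
        self.rng = rng or random.Random()

    def state(self, src_ip):
        return self.clients.setdefault(src_ip, ClientState())

    def response_probability(self, src_ip):
        """Probability that the next request from src_ip is transferred."""
        s = self.state(src_ip)
        score = (s.outstanding
                 + self.RESEND_WEIGHT * s.resends
                 + self.ABNORMAL_WEIGHT * s.abnormal)
        return max(0.0, 1.0 - score / self.MAX_SCORE)

    def on_request(self, src_ip):
        """Stages 600-606. Returns True if transferred, False if annulled.

        Assumption: an annulled request is not kept in the uncompleted
        count, because no response will ever complete it.
        """
        s = self.state(src_ip)
        if self.rng.random() < self.response_probability(src_ip):
            s.outstanding += 1
            return True
        return False

    def on_response(self, src_ip):
        """Stages 608-610: the response went back to the client."""
        s = self.state(src_ip)
        s.outstanding = max(0, s.outstanding - 1)

    def on_resend(self, src_ip):
        self.state(src_ip).resends += 1

    def on_abnormal(self, src_ip):
        self.state(src_ip).abnormal += 1


def simulate(seed=1):
    """Constructed scenario using documentation-range addresses."""
    proxy = ProtectionProxy(random.Random(seed))
    well_behaved, flooder = "192.0.2.10", "198.51.100.7"
    ok = 0
    for _ in range(50):  # one request at a time, each one answered
        if proxy.on_request(well_behaved):
            ok += 1
            proxy.on_response(well_behaved)
    # The flooder sends 500 requests and none of them is ever completed.
    flooded = sum(proxy.on_request(flooder) for _ in range(500))
    return {
        "well_behaved_transferred": ok,
        "flooder_transferred": flooded,
        "well_behaved_probability": proxy.response_probability(well_behaved),
        "flooder_probability": proxy.response_probability(flooder),
    }


if __name__ == "__main__":
    print(simulate())
```

Because each client has its own counters, the flooding client is held to at most MAX_SCORE uncompleted requests while the other client's response probability stays at 1.0.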

[0100] In another aspect related to the present invention, a server computer 
protection apparatus can receive processing situation information from a server. Fig. 7 
shows an example of the construction of server computer protection apparatus 703 
consistent with this aspect which is utilized in the network architecture shown in Fig. 1. 
Server computer protection apparatus 703 includes a data request acceptance unit 702, a 
data request transfer unit 704, a response probability calculation unit 706 and a processing 
situation reception unit 708. 

[0101] After client 101 has established its connection with server 104 through 
server computer protection apparatus 703, client 101 transmits a request for data necessary 
for a process, to server 104 through server computer protection apparatus 703. On this 
occasion, the request upon server 104 is accepted by data request acceptance unit 702. 

[0102] Then, the request accepted by data request acceptance unit 702 is 
transferred toward server 104 by data request transfer unit 704. In response, server 104 
transmits the data corresponding to the transferred request, toward client 101 which made 
the request, through server computer protection apparatus 703. 

[0103] Processing situation reception unit 708 receives from server 104, 
information on the processing situation of server 104 itself. Concretely, the information 
is, for example, the load situation of server 104 at the transmission. The information 
which is supplied by server 104 may well contain a proceeding situation of the process of 
server 104 or the processed result of server 104 which is linked with the data request 
accepted by data request acceptance unit 702. In this case, the information makes known, 
for example, that a certain data request and a load applied to server 104 by an application 
activated for processing the data request are associated with each other. 

[0104] When the processing situation information acquired from server 104 at a 
predetermined time interval or at any desired timing is analyzed, server computer 
protection apparatus 703 can determine the relation between the data request made by 
client 101 and the load situation of server 104. For example, after a certain data request 
has been made by client 101, the load of server 104 fluctuates suddenly. If client 101 
successively makes data requests and the load of server 104 is suddenly heightened, the 
processing ability of server 104 will be drastically decreased. In turn, all services offered 
by server 104 might be stopped. This can mean that server 104 is under a DoS attack 
from client 101. In order to avoid the shutdown of server 104, the administrator of server 
104 must promptly stop requests which are transmitted from clients 101 to server 104. 

[0105] However, assuming that clients 101 are merely making legal data requests 
until requests are stopped, the processes of the applications activated in clients 101 are 
interrupted or disabled by the determination of a required shutdown. 

[0106] In order to reduce interruption as stated above, response probability 
calculation unit 706 calculates a response probability on the basis of the processing 
situation information, at least, each time the information is acquired from server 104. 
Subsequently, response probability calculation unit 706 supplies the response probability 
to data request transfer unit 704. The "response probability" termed here signifies the 
ratio of the number of data responses made within a predetermined time period by server 
104, to the number of data requests accepted from clients 101 within the predetermined 
time period. When the ratio is large, data request transfer unit 704 increases the number 
of data requests which are to be transferred to server 104 within the predetermined time 
period, among the data requests accepted within the predetermined time period. 
Conversely, when the ratio is small, data request transfer unit 202 decreases the number of 
data requests which are to be transferred to server 104 within the predetermined time 
period. 

[0107] Data request acceptance unit 702 annuls data requests which are not 
transferred by data request transfer unit 704 because the number of requests to be 
transferred within the predetermined time period has been decreased. Alternatively, data 
request acceptance unit 702 can retain the data requests. In the case where the data 
requests are retained without being annulled, a constituent for transferring the retained 
data requests asynchronously to new data requests is required. 

[0108] As described above, when the response probability calculation unit 706 
judges the load of server 104 is light, from the processing situation information acquired 
from the server 104, response probability calculation unit 706 calculates the response 
probability to be high. When response probability calculation unit 706 judges the load of 
the server 104 is heavy, response probability calculation unit 706 calculates the response 
probability to be low. 

[0109] The process provides a server computer protection apparatus which 
relaxes the influence of a DoS attack that burdens the server and shuts it down, and 
which does not stop the process of the client. 

[0110] Figs. 8A and 8B show examples of the operating flows of server computer 
protection apparatus 703 consistent with an aspect related to the present invention. 

[0111] The flow shown in Fig. 8A is for acquiring processing situation 
information from server 104. On the other hand, Fig. 8B shows the flow in which a data 
request is accepted from client 101 and is delivered to server 104. The two flows are 
processed asynchronously. 

[0112] First, as illustrated in Fig. 8A, in order to acquire from server 104 the 
information on the server process, processing situation reception unit 708 awaits the 
transmission of the information (stage 800). Subsequently, server computer protection 
apparatus 703 determines whether or not the information has been normally acquired 
(stage 802). In a case where the information has been normally acquired, processing 
situation reception unit 708 decides the processing load of server 104 (stage 804). The 
process shown in Fig. 8A is executed each time the processing situation information is 
acquired from server 104, and the situation of the processing load of server 104 is 
determined in real time. 

[0113] In a case where the processing situation information has not been acquired 
at stage 802, server computer protection apparatus 703 awaits the transmission of the 
information (stage 800). 

[0114] Next, Fig. 8B will be described. 

[0115] After the connection has been established from client 101 to server 104 
through server computer protection apparatus 703, a data request from client 101 toward 
server 104 is awaited (stage 806). 

[0116] The data request from client 101 as accepted by data request acceptance 
unit 702 is judged as to whether or not it may be transferred to server 104 by data request 
transfer unit 704 (stage 808). In the judgment at stage 808, the processing load of server 
104 as decided by processing situation reception unit 708 is used. When the load is low, 
server 104 can afford to respond, and server computer protection apparatus 703 judges 
that the new data request can be transferred. Conversely, when the load is higher, server 
104 might be under a DoS attack, and server computer protection apparatus 703 judges 
that the new data request may need to be annulled. 

[0117] Further, in addition to load data, criteria explained below can be included 
in response probability calculation unit 706 calculation of the response probability for data 
requests that are to be transferred by data request transfer unit 704. 

[0118] When the processing situation information items of server 104 are derived 
in succession, a feature can be found in a data request and the load of server 104 in some 
cases. For example, after a certain data request has been accepted by data request 
acceptance unit 702 and transferred by data request transfer unit 704, the load of the 
process of server 104 rises suddenly. 

[0119] When such a sudden rise has been found, server computer protection 
apparatus 703 can judge that the server 104 may possibly be under a DoS attack. 

[0120] Whether or not the processing load tends to rise suddenly is 
considered in the judgment at stage 808. As shown in Fig. 8B, server computer 
protection apparatus 703 judges whether or not the data request from client 101 as 
accepted by data request acceptance unit 702 may be transferred to server 104 by data 
request transfer unit 704. 

[0121] That is, at stage 808, server computer protection apparatus 703 judges 
whether or not the new data request from client 101 may be transferred in consideration of 
the tendency of the load. If a sudden rise of the load is found, there is the possibility that 
server 104 will be under a DoS attack, and server computer protection apparatus 703 
judges that the new data request may need to be annulled. 

[0122] Conversely, the load of server 104 sometimes lowers suddenly as soon as 
a certain data request from client 101 is canceled. When the processing load lowers 
suddenly, server computer protection apparatus 703 can judge that server 104 may 
possibly have been under the DoS attack. 

[0123] Whether or not the processing load tends to lower suddenly 
is also considered in the judgment at stage 808. As shown in Fig. 8B, server computer 
protection apparatus 703 judges whether or not the data request from client 101 as 
accepted by data request acceptance unit 702 may be transferred to server 104 by data 
request transfer unit 704. 

[0124] That is, at stage 808, server computer protection apparatus 703 judges 
whether or not the new data request from client 101 may be transferred in consideration of 
the tendency of the load. If a sudden lowering of the load is found, there is the possibility 
that server 104 will have been under a DoS attack, and server computer protection 
apparatus 703 judges that a new data request is to be annulled without being easily 
accepted. 

[0125] In another example, in the calculation of the response probability by 
response probability calculation unit 706, response probability calculation unit 706 can 
include a response probability memory and consider a value stored in this memory, as 
described below. 

[0126] Response probability calculation unit 706 judges the load of server 104 on 
the basis of the processing situation information of server 104 as received by processing 
situation reception unit 708. In this example, a calculated value is not directly converted 
into load situation of server 104 for judgment, but the value is referenced to the value 
stored in the response probability memory of response probability calculation unit 706. 

[0127] In the calculation of server computer protection apparatus 703, the values 
obtained from the units 702 and 708 have been collectively converted into values which 
indicate load levels of "0" to "10". Depending upon the values obtained from the 
respective units, the load level of server 104 might violently change from "0" to "10", and 
the response probability to be calculated can greatly fluctuate. 

[0128] Therefore, the values obtained from the respective units 702 and 708 are 
collectively converted into a value which falls within a range of ±2. Subsequently, 
response probability calculation unit 706 adds the value collectively obtained to the value 
which is stored in the response probability memory. Then, the value fluctuates only 
within the range of ±2 by one time of measurement, and server computer protection 
apparatus 703 suppresses the great fluctuation of the response probability as in the above 
example based on the assumption that the response probability memory holds the values 
of "0" to "10". 

[0129] Assuming that the fluctuation of the response probability proceeds too 
rapidly, the load on server 104 is not constant, and server 104 sometimes becomes 
unstable. 

[0130] Accordingly, the aforementioned range of the values which are held in the 
response probability memory, and the range of the collective values of the values obtained 
from respective units 702 and 708 are appropriately determined, whereby the fluctuation 
of the number of data requests arriving at server 104 from client 101 can be relaxed to 
protect server 104. 
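
The response probability memory described in paragraphs [092] to [095] and again in [0127] to [0130], as an added Python example that is not part of the patent. The 0 to 10 range and the ±2 limit come from the text; the step-toward-measurement conversion, the mapping from load level to transferred requests, and the sample load levels are assumptions.

```python
LEVEL_MIN, LEVEL_MAX = 0, 10  # load levels "0" to "10", as in the text
MAX_STEP = 2                  # one measurement moves the memory by at most 2


def clamp(value, low, high):
    return max(low, min(high, value))


class ResponseProbabilityMemory:
    """Holds a load level that changes by at most MAX_STEP per measurement."""

    def __init__(self, level=LEVEL_MIN):
        self.level = level

    def update(self, raw_level):
        """Fold one measured load level into the stored value and return it.

        Assumption: the measurement is converted to a step toward the
        measured level, limited to the range -MAX_STEP..+MAX_STEP.
        """
        raw = clamp(raw_level, LEVEL_MIN, LEVEL_MAX)
        step = clamp(raw - self.level, -MAX_STEP, MAX_STEP)
        self.level = clamp(self.level + step, LEVEL_MIN, LEVEL_MAX)
        return self.level


def transferred(accepted, level):
    """Requests transferred out of `accepted` at a given load level.

    Assumption: level 0 transfers everything, level 10 transfers nothing.
    """
    return accepted * (LEVEL_MAX - level) // LEVEL_MAX


def largest_swing(values):
    """Largest change between two consecutive entries."""
    return max(abs(b - a) for a, b in zip(values, values[1:]))


# Constructed sample: the load level measured in twelve successive periods.
RAW_LEVELS = [0, 1, 10, 10, 0, 10, 9, 10, 10, 2, 1, 0]


def compare(raw_levels=RAW_LEVELS, accepted=100):
    """Transfer counts per period, with and without the memory."""
    memory = ResponseProbabilityMemory()
    damped_levels = [memory.update(raw) for raw in raw_levels]
    direct = [transferred(accepted, raw) for raw in raw_levels]
    damped = [transferred(accepted, lvl) for lvl in damped_levels]
    return {
        "damped_levels": damped_levels,
        "direct": direct,
        "damped": damped,
        "direct_swing": largest_swing(direct),
        "damped_swing": largest_swing(damped),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With direct conversion the number of requests reaching the server jumps between 0 and 100 from one period to the next; with the memory it changes by at most 20 per period for the same measurements.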

[0131] Referring again to Fig. 8, when server computer protection apparatus 703 
has judged that the new data request from client 101 is to be transferred to server 104, data 
request transfer unit 704 transfers this data request to server 104 (stage 810). In contrast, 
when server computer protection apparatus 703 has judged that the new data request is not 
to be transferred, this data request is annulled from within data request acceptance unit 
702, and a new data request from client 101 is awaited again (stage 806). 

[0132] When the data request from client 101 has been transferred to server 104, 
server 104 subsequently issues a response to this data request, and hence, server computer 
protection apparatus 703 transfers the response to client 101 (stage 812). 

[0133] If the connection from client 101 to server 104 is maintained, a similar 
operating flow is repeated again so as to await a new data request from client 101 toward 
server 104 (stage 806). 

[0134] According to the server computer protection method based on such a flow, 
the server computer protection apparatus relaxes the influence of a DoS attack that 
burdens the server and shuts it down, and does not stop the process of the client. 

[0135] In another aspect related to the present invention a server computer 
protection apparatus can receive processing situation information for a server in relation to 
each client. Fig. 9 shows an example of the construction of server computer protection 
apparatus 903 consistent with this aspect which is utilized in the network architecture 
shown in Fig. 1. Server computer protection apparatus 903 includes a data request 
acceptance unit 902, a data request transfer unit 904, response probability calculation units 
906 and a processing situation reception unit 908. 

[0136] Server computer protection apparatus 903 differs from server computer 
protection apparatus 703 in that a plurality of response probability calculation units 906 
are included. The plurality of measurement units process the transfers of data requests 
transmitted from the plurality of clients 101 (for example, clients 101-1, 101-2, 101-3), in 
correspondence with the respective clients. 

[0137] In order to separately execute the processes of each client, server 
computer protection apparatus 903 can discriminate which clients have transmitted the 
requests to be processed. Server computer protection apparatus 903 discriminates the 
clients by referring to IP addresses in the header information of packets that are contained 
in the data requests transmitted from the respective clients which indicate transmission 
sources. Server computer protection apparatus 903 discriminates a server response by 
referring to an IP address in the header information of packets that are contained in the 
server response which indicates a destination. 

[0138] The components of server computer protection apparatus 903 function 
similarly to the components of server computer protection apparatus 703. 

[0139] Figs. 10A and 10B show examples of the operating flows of server 
computer protection apparatus 903 consistent with an aspect related to the present 
invention. 

[0140] The flow shown in Fig. 10A is for acquiring processing situation 
information from server 104. On the other hand, Fig. 10B shows the flow in which a data 
request is accepted from client 101 and is delivered to server 104. The two flows are 
processed asynchronously. 

[0141] First, as shown in Fig. 10A, in order to acquire from server 104 the 
information on the server process, the processing situation reception unit 908 awaits the 
transmission of the information (stage 1000). Subsequently, server computer protection 
apparatus 903 determines whether or not the information has been normally acquired 
(stage 1002). In a case where the information has been normally acquired, processing 
situation reception unit 908 decides the processing load of server 104 for each and 
every client (stage 1004). The process shown in Fig. 10A is executed each time the 
processing situation information is acquired from server 104, and the situation of the 
processing load of server 104 as applied by each client is determined in real time. 

[0142] In a case where the processing situation information has not been acquired 
at stage 1002, server computer protection apparatus 903 awaits the transmission of the 
information (stage 1000). 

[0143] Next, Fig. 10B will be described. 

[0144] After the connection has been established from client 101 to server 104 
through server computer protection apparatus 903, and response probability calculation 
unit 906 has been allotted to a particular client 101, server computer protection apparatus 
903 awaits a data request from the client 101 toward the server 104 (stage 1006). 

[0145] The data request from predetermined client 101 as accepted by the data 
request acceptance unit 902 is judged as to whether or not it may be transferred to server 
104 by the data request transfer unit 904 (stage 1008). In the judgment at stage 1008, the 
processing load of server 104 as decided by processing situation reception unit 908 is 
used. When the load is low, server 104 can afford to respond to a particular client 101, 
and server computer protection apparatus 903 judges that the new data request can be 
transferred. Conversely, when the load is high, there is the possibility that server 104 will 
be under a DoS attack from the particular client, and server computer protection apparatus 
903 judges that the new data request may need to be annulled. 

[0146] Further, in addition to load data, the criteria explained below can be included 
in the calculation, by response probability calculation unit 906, of the response probability 
for data requests that are to be transferred by data request transfer unit 904. 

[0147] When the processing situation information items of server 104 are derived 
in succession, a characteristic relationship can be found in some cases between data 
requests from predetermined clients and the load of server 104. For example, after a 
certain data request has been accepted by data request acceptance unit 902 and transferred 
by data request transfer unit 904, the processing load of server 104 may rise suddenly. 

[0148] When such a sudden rise has been found, server computer protection 
apparatus 903 can judge that server 104 may possibly be under a DoS attack. 

[0149] Whether or not there is a tendency for a sudden rise of the processing load is 
considered in the judgment at stage 1008. As shown in Fig. 9B, server computer 
protection apparatus 903 judges whether or not the data request from client 101 as 
accepted by data request acceptance unit 902 may be transferred to server 104 by data 
request transfer unit 904. 

[0150] That is, at stage 1008, server computer protection apparatus 903 judges 
whether or not the new data request from client 101 may be transferred in consideration of 
the tendency of the load. If a sudden rise of the load is found for a predetermined client, 
there is the possibility that server 104 will be under a DoS attack from that client, and 
server computer protection apparatus 903 judges that the new data request from that client 
may need to be annulled. 

[0151] Conversely, the load of server 104 sometimes lowers suddenly as soon as 
a certain data request from client 101 is canceled. When the processing load lowers 
suddenly for a predetermined client, server computer protection apparatus 903 can judge 
that server 104 may possibly have been under a DoS attack from that client. 

[0152] Whether or not there is a tendency toward a sudden lowering of the processing 
load is also considered in the judgment at stage 1008. As shown in Fig. 10B, server computer 
protection apparatus 903 judges whether or not the data request from client 101 as 
accepted by data request acceptance unit 902 may be transferred to server 104 by data 
request transfer unit 904. 

[0153] That is, at stage 1008, server computer protection apparatus 903 judges 
whether or not the new data request from client 101 may be transferred in consideration of 
the tendency of the load. If a sudden lowering of the load is found, there is the possibility 
that server 104 has been under a DoS attack from that client, and server computer 
protection apparatus 903 judges that a new data request from that client is to be annulled 
rather than readily accepted. 

[0154] In another example, response probability calculation unit 906 can include a 
probability memory and, in the calculation of the response probability, consider a value 
stored in this memory, as described below. 

[0155] Response probability calculation unit 906 judges the load of server 104 as 
applied by the corresponding client, on the basis of the processing situation information of 
server 104 as received by processing situation reception unit 908. In this example, a 
calculated value is not directly converted into the load situation of server 104 for 
judgment, but the value is referenced to the value stored in the response probability 
memory of response probability calculation unit 906. 

[0156] In the calculation of server computer protection apparatus 903, values 
obtained from units 902 and 908 have been collectively converted into values which 
indicate load levels of "0" to "10". Depending upon the values obtained from the 
respective units, the load level of server 104 might change abruptly from "0" to "10", 
and the response probability to be calculated can fluctuate greatly. 

[0157] Therefore, the values obtained from the respective units 902 and 908 are 
collectively converted into a value which falls within a range of ±2. Subsequently, 
response probability calculation unit 906 adds the value collectively obtained to the value 
which is stored in the response probability memory. The stored value then fluctuates only 
within the range of ±2 per measurement, and, on the assumption that the response 
probability memory holds the values of "0" to "10" as in the above example, server 
computer protection apparatus 903 can suppress large fluctuations of the response 
probability. 

[0158] If the response probability fluctuates too rapidly, the load on server 104 is 
not constant, and server 104 sometimes becomes unstable. 

[0159] Accordingly, the aforementioned range of the values which are held in the 
response probability memory, and the range of the collective values of the values obtained 
from the respective units 902 and 908 are appropriately determined, whereby the 
fluctuation of the number of data requests arriving at server 104 from client 101 can be 
relaxed to protect server 104. 
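
The damping described in paragraphs [0154] to [0159] can be sketched as follows; this is an added illustration, not part of the original specification. The class and function names, the client identifier, the use of the clamped gap between measured and stored level as the "collective value", and the linear mapping from stored level to response probability are all assumptions made for the example.

```python
import random

LEVEL_MIN, LEVEL_MAX = 0, 10  # range held in the response probability memory (from the text)
MAX_STEP = 2                  # one measurement may move the stored value by at most +/-2

def clamp(value, low, high):
    return max(low, min(high, value))

class ResponseProbabilityMemory:
    """Per-client damped load level; a hypothetical model of the memory in unit 906."""

    def __init__(self):
        self.levels = {}  # client id -> stored level in 0..10

    def update(self, client, measured_level):
        """Fold one measured load level (0..10) into the stored level."""
        stored = self.levels.get(client, LEVEL_MIN)
        # Assumption: the "collective value" is the clamped gap to the measurement.
        step = clamp(measured_level - stored, -MAX_STEP, MAX_STEP)
        self.levels[client] = clamp(stored + step, LEVEL_MIN, LEVEL_MAX)
        return self.levels[client]

    def response_probability(self, client):
        # Assumption: linear mapping, level 0 -> always transfer, level 10 -> never.
        return 1.0 - self.levels.get(client, LEVEL_MIN) / LEVEL_MAX

    def should_transfer(self, client, rng=random.random):
        """Stage 1008 decision: transfer the request with the current probability."""
        return rng() < self.response_probability(client)

# Constructed load levels attributed to one client: quiet, burst, oscillation, quiet.
SAMPLE_LEVELS = [0, 0, 10, 10, 0, 10, 0, 0]

def trace(levels, client="client-101"):
    """Return (measured, stored level, undamped probability, damped probability) rows."""
    memory = ResponseProbabilityMemory()
    rows = []
    for measured in levels:
        stored = memory.update(client, measured)
        undamped = 1.0 - measured / LEVEL_MAX
        rows.append((measured, stored, undamped, memory.response_probability(client)))
    return rows

if __name__ == "__main__":
    for measured, stored, undamped, damped in trace(SAMPLE_LEVELS):
        print(f"measured={measured:2d} stored={stored:2d} "
              f"undamped={undamped:.1f} damped={damped:.1f}")
```

On the constructed series, the undamped probability swings between the extremes from one measurement to the next, while the damped probability changes by at most one fifth of the range per measurement.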

[0160] Referring again to Fig. 9, when server computer protection apparatus 903 
has judged that the new data request from predetermined client 101 is to be transferred to 
server 104, data request transfer unit 904 transfers this data request to server 104 (stage 
1010). In contrast, when server computer protection apparatus 903 has judged that the 
new data request is not to be transferred, this data request is annulled from within the data 
request acceptance unit 902, and a new data request from predetermined client 101 is 
awaited again (stage 1006). 

[0161] When the data request from predetermined client 101 has been transferred 
to server 104, server 104 subsequently issues a response to this data request, and hence, 
server computer protection apparatus 903 transfers the response to predetermined client 
101 (stage 1012). 

[0162] If the connection from predetermined client 101 to server 104 is 
maintained, a similar operating flow is repeated again so as to await a new data request 
from predetermined client 101 toward server 104 (stage 1006). 

[0163] According to the server computer protection method based on such a flow, 
the server computer protection apparatus mitigates the influence of a DoS attack that 
burdens the server and shuts it down, does not stop the processing of the client, and 
provides fine-grained control of server computer protection for each client. 

[0164] As a modification to each aspect, a server 104 can incorporate the server 
computer protection apparatus 103, 503, 703, or 903 according to each aspect. Owing to 
such incorporation, it is unnecessary to separately and individually build server 104 which 
processes data requests from clients 101, and the server computer protection apparatus 
which is disposed for the purpose of protecting server 104 against DoS attacks from 
unspecified clients 101. Therefore, the communication between the server computer 
protection apparatus and server 104 need not be performed through a network or the like. 

[0165] With the server computer protection apparatus so incorporated, the time 
period that was required for the communication of each proxy response can be 
eliminated. Further, when compared with server 104 protected by a separate server 
computer protection apparatus, which requires a plurality of enclosures, server 104 with 
the server computer protection apparatus incorporated therein can reduce the space 
necessary for installation because the same function is attainable with a single enclosure. 

[0166] Other aspects related to the invention will be apparent to those skilled in 
the art from consideration of the specification and practice of the invention disclosed 
herein. It is intended that the specification and examples be considered as exemplary 
only, with a true scope and spirit of the invention being indicated by the following claims. 